May 18, 2007

Is this Risk Management's Waterloo?

So why can't we do it? In short, we do know that all security is really about risk management. So we just do risk management, right?

Igor says we can do it, in comments. Chandler says it is hard. He lists a dozen or so reasons why.

To which I'll add one: the attacker is aggressive. Whatever we measure, the attacker actively perverts. So, unlike insurance models, security doesn't work well with just statistics. Much as we say we need more data, if we had all the data in the world, and fixed what we could see, the attacker would simply move faster than we could.

A trio of notes:

  • Note that this isn't to say that he is the uber-attacker, the Superman recently much discussed. He's just us, on the other side. Or, better yet, pick the middling competent programmer down the hall. We fix the bugs, why can't they? The point being to stop thinking about the bipolar choice of attacker as dense as mould, or as smart as Moriarty.
  • Another thing that Lynn has pointed out is that the attacker can outspend the defender, sometimes by as much as 100:1. Indeed, recently the USG agencies were reported to receive $10m in funding ... for an attacker that is causing losses of more than a billion per year.
  • On the question of "more data," a meme that is somewhat current: the paper that Igor mentioned pointed to what is some sort of volunteer group that validates URLs and provides data. They are the same people who provide DNS with a phishing filter. Nice twist, but note the perversion.

So, there are some issues here. Are there limits to the risk management approach, beyond the fact that it seems to be beyond the capabilities of the industry? Has it reached its Waterloo, against the active, mildly competent attacker with 100 times the spend?

Posted by iang at May 18, 2007 07:46 AM


To clarify, I just said that security people by and large are familiar with concepts of probabilities (the point that Paul Ohm in "the Myth of the Superuser", referred to in the previous post, seemed to deny).

If you ask me, security is about risk, economics, psychology and usability together (as well as politics), hence solving the problems by concentrating on any single one of those things would be unlikely to be successful.

Posted by: Igor Drokov at May 18, 2007 10:52 AM

old, long-winded post about the thread between risk management and information security

for a little side track ... risk management is more than security issues ... "insurance" traditionally is part of a risk management toolkit and used for things far from traditional security issues. for other issues see BIS and BASEL

in the past, i've hypothesized that there have been instances where a risk-averse organization has avoided addressing a problem (say an ISP with regard to incoming/ingress from their customers ... filtering long before it got to the destination end) since they might then be held accountable if the measures weren't perfect (and then got sued). They sidestepped liability by doing nothing (at least until some sort of gov. authority steps in and mandates something)

some of these scenarios are that not doing something might put their customers at risk ... but wouldn't directly affect the institutions. doing something that turned out to be not one hundred percent perfect created more risk and liability to the institution than doing nothing.

this old post is about security (aka countermeasures) proportional to risk

where the value to the attacker is several times larger than the value to the defender ... and is somewhat related to the whole "naked transaction" discussion

from a slightly different perspective

i also had these discussions/arguments in the early & mid 90s about ISPs being able to just about eliminate IP-address spoofing and DOS attacks with ingress filtering (this was before botnets and DDOS attacks).

when we were working on the financial industry privacy standard (including some of the disclosure issues), we made the comment that it was going to require some culture change for institutional risk and security professionals. traditionally, institutional risk & security professionals were looking at protection of the institution. various gov. mandates were forcing institutional risk & security professionals to start thinking about protecting the institution's customers (in some of the scenarios even protecting the customers from the institution).

Posted by: Lynn Wheeler at May 18, 2007 11:37 AM

"Are there limits to the risk management approach, beyond the fact that it seems to be beyond the capabilities of the industry?"

The past two days I've had the pleasure of sitting with the best and the brightest in the state of Ohio in an all Infragard/ISSA/ISACA event. About 300 people. Now I don't know all of them, but those I do know encompass Ohio's largest retailers, F.I.'s and other Fortune 500's.

I can count on one hand the number of companies who:

1.) Have a risk management approach

2.) "Get it"

I think it's too early to say that there *even exists* a risk management approach (not analysis or assessment, or remediation of vulnerabilities with some probability dust sprinkled on the VM lifecycle, but *risk management*). Not as I know risk, certainly not.

Posted by: Alex at May 18, 2007 05:58 PM

When I started studying compsci in 1985, my professors told me that C was a bad programming language because it wasn't type-safe, and that there were "security implications." Nevertheless, when I graduated, I and everyone else doing significant programming work among my fellow students was using C.

With the runtime architecture of C and C++, any programming mistake has the potential of allowing an attacker to inject arbitrary code by overwriting a return address or a function pointer. In March, an exploit was published for OpenBSD, which overwrote a function pointer in the heap of the kernel and gave an attacker full control of the machine. The bug had been present for years. Is there anyone who doubts that in 50 years, all operating systems now in use will be considered ludicrously unsafe?

As long as we are sticking with a runtime architecture that allows an attacker to potentially let any program function as any program, risk management is a euphemism for crisis management.

Posted by: Felix at May 20, 2007 07:55 AM

re: Is this Risk Management's Waterloo?

i.e. insurance, alarms, bumpers, guard rails, etc. are all types of risk mitigation.

possibility is that with regard to information systems, very few people have any fundamental understanding of related threats, vulnerabilities, etc. ... i.e. w/o any fundamental understanding of how information systems operate ... any threat and vulnerability analysis will miss an enormous number of issues.

for a slightly related topic drift: Owned .gov machines (was Re: Russian cyberwar against Estonia?)

the above is specific with regard to implementations that evolved from a non-hostile and disconnected environment with few or little countermeasures.

now some of the systems that are considered quite a bit more secure 1) have been implemented in languages other than "C" and are remarkably free of the buffer overrun/overflow types of exploits and 2) originally assumed a potentially hostile environment and so risk mitigation permeates all aspects of design and implementation.

for other drift ... my work on merged taxonomies and glossaries

I've drawn on numerous sources for merged security taxonomy and glossary

click on "risk management" in the glossary "fastpath" and there is a broad range of definitions ... some specific to information systems and others more general.

from GAO 06-91:

A continuous process of managing through a series of mitigating actions that permeate an entity's activities, the likelihood of an adverse event and its negative impact. Risk management addresses risk before mitigating action, as well as the risk that remains after countermeasures have been taken.

... snip ...

Posted by: Lynn Wheeler at May 20, 2007 11:27 AM